
Academic year: 2021


A STUDY ON HOW A CLOUD SERVICE PROVIDER CAN OFFER ADEQUATE SECURITY TO ITS CUSTOMERS

MSc Information Security Project Report

Name: Robert Farrugia


Project submission form

Supervisor’s name: Dr Geraint Price

Student’s name: Robert Farrugia

Student registration number (SRN): 070440991

Address: Tulip Flats, 3, Zamenhof Street, Msida, MSD 1811, Malta

Email address: [email protected]

You are reminded that all work submitted as part of the requirements for any examination of the University of London must be expressed in your own words and incorporate your own ideas and judgement.

Using another person’s thoughts or words as though they were your own is considered to be copying or plagiarism. This is not allowed. You must clearly identify direct quotations from the published or unpublished work of another person by placing quotes inside quotation marks, and also provide a full reference to their source. Whether you use a series of short quotations from several different sources or a single long quotation from a single source, they must all be identified clearly. Equally, if you summarise another person’s ideas or judgement, you must refer to that person in your text, and include the work referred to in your bibliography. Failure to observe these rules may result in an allegation of cheating.

I declare that this assignment is all my own work, and that I have acknowledged all quotations from the published or unpublished works of other people.

I declare that I have also read the statement on plagiarism in the General Regulations for Awards at Graduate and Masters Levels for the MSc in Information Security (Section 9) and in accordance with it I submit this project report as my own work.

--- Date: 27th March 2011


© Robert Farrugia SRN 070440991 i

Executive Summary

The National Institute of Standards and Technologies and the Cloud Security Alliance both defined the Cloud “as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” (NIST, Mell, & Grace, NIST Definition of Cloud Computing, 2009) Clouds come in various shapes which include Software-as-a-Service, Platform-as-a-Service or Infrastructure-as-a-Service.

The objective of this study is to understand whether certification of compliance with PCI DSS, ISO 27001 or with any other international standard attained by a cloud service provider (CSP) can provide assurance to the customer that the risks pertinent to the cloud environment have been adequately mitigated. The main sources of information for this study were the numerous books, journals, reports and blogs which have already discussed cloud computing. The author has also utilised his work experience related to the field of information security and cloud computing. He has attended conferences specifically related to cloud computing and attended the ISO 27001 Lead Auditor course, with the main objective of understanding better how this and similar standards work in practice.

After having carried out a study of what individual experts and other organizations such as ISACA, the Big Four Firms, ENISA and the Cloud Security Alliance were proposing to secure the Cloud, the author also carried out research to understand how Amazon, Microsoft, Google and Salesforce were claiming to have secured their Cloud. As a result of this study, six standards and frameworks were chosen for the analysis of this research. These are: ISO 27001 / 27002, Trust Services Framework, Payment Card Industry Data Security Standard (PCI DSS), Cloud Controls Matrix (CCM), ISACA’s Cloud Assurance Program (CCMAP) and the Statement on Auditing Standards (SAS) No.70.

This study also includes the identification of the Cloud-specific risks which are summarized in the table hereunder:

- The risk that, at a point in time, the CSP will lack the (technical) resources it needs due to incorrect statistical capacity planning, inadequate infrastructural investment or inadequate functionality to limit the usage of its pool of resources
- The risk that customers will not be able to access their systems due to the interruption of the Internet service, since within the Cloud there is a dependency on the Internet
- The risk that data is intercepted whilst being transferred between the Cloud and the customer or within the Cloud infrastructure itself
- The risk of the CSP having insecure storage of data
- The risk that data is not effectively deleted within the CSP’s system
- The risk that hardening procedures management is not effective, resulting in an insecure Cloud environment
- The risk that the CSP operates inadequate cryptographic management procedures
- The risk that a CSP operates an unreliable service engine
- The risk of failure of the isolation mechanism within the cloud infrastructure
- The risk that the CSP offers its customers an unreliable management interface
- The risk that the Cloud is not adequately protected against a distributed denial of service (DDoS) attack
- The risk that customers are paying more than they should really be paying, resulting in economic denial of service
- The risk that customers are dependent on their CSPs
- The risk that customers will lose governance over a number of security requirements
- The risk that loss (by customers) will be incurred due to activities carried out by another customer who is on the same Cloud
- The risk that customers cannot always achieve compliance with international standards due to the complexities of the Cloud or because the CSP is not compliant with such standards
- The risk that the CSP terminates its services
- The risk that, as a result of the acquisition of a CSP, non-binding security agreements between the original CSP and its customers are jeopardised
- The risk of deterioration or unavailability of the CSP’s services as a result of supply chain failure
- The risk that a CSP is non-compliant with legal requirements
- The risk that the CSP changes its location to a relatively unsafe jurisdiction
- The risk that subpoena requirements for one Cloud customer may adversely impact the whole of the CSP’s operation
- The risk that licensing agreements which do not cater for the complexities found within the Cloud have an adverse financial impact on the customer
- The risk that a CSP does not comply with customers’ requirements related to data protection law
- The risk that the CSP does not provide all the privacy rights required by the customers
- The risk that customers may lose intellectual property associated with the data that they store on the Cloud

Each standard that has been selected was analysed to understand the extent of the protection offered vis-à-vis the Cloud-specific risks described above. This study provides a number of notions that can be used to protect a cloud computing environment. However, none of these standards and frameworks was deemed suitable to provide assurance with regards to the security of a cloud computing environment, mainly because none of these standards and frameworks completely mitigates the Cloud-specific risks. Other features found in the standards and frameworks, such as the certification mechanism, were also taken into consideration to arrive at such a conclusion. As a result of the above analysis, the author came up with a number of recommendations for the creation of a Cloud-specific standard. The main recommendations included that:

- the standard should include only specific criteria such as those found in the Trust Services Framework and PCI DSS and should be Cloud-specific, such as the controls described within the CCMAP;
- these controls should be seen only as a minimum requirement and therefore a risk-based approach with continuous improvement (such as that offered by ISO 27001) should be included;
- a third party certification, which would result in a report available to customers and prospective ones, should also be in place;
- such a standard should also include key performance indicators which are publicly available so that customers can compare the security level of various CSPs; and


Preface

Students reading the MSc Information Security course of Royal Holloway are required to work on a project with a view to demonstrate three specific skills described hereunder:

1. Skill 1: Work independently on an information security related project for which they have defined objectives and rationale;

2. Skill 2: Apply knowledge about aspects of information security to a particular problem, which may be of an engineering, analytical or academic nature;

3. Skill 3: Produce a well-structured report, including introduction, motivation, analysis and appropriate references to existing work.

All work carried out within this project has been carried out independently by the author. Even though the project consists of a significant amount of research and reading, the author made use of such research as a guideline to formulate his opinions and views on the problem at hand. Working independently does not mean working without any support and help. Therefore, one has to thank all those who provided support throughout the completion of this project, especially my girlfriend Yelena Formosa, my parents Alfred and Isabelle Farrugia, my sister Diane Farrugia and my grandfather Joseph Muscat. Special thanks also go to my employer Mr Eric Muscat for all the support during my studies. I would also like to thank Mr Hadrian Sammut and Ms Melody Morgan-Busher for reviewing my work. Last but not least, special thanks go to my tutor Dr Geraint Price who guided me throughout the project, challenged my ideas and was always available when in need.

As an analytical person, the obvious choice for the author was to analyse a problem with a view to obtaining an understanding of what the real aspects of the subject chosen are and also to comprehend what different approaches are being suggested. The analysis also includes a critique of a number of methodologies that are currently being employed in order to understand how they compare to each other and how applicable they are to solve the problem at hand.

The report is structured to provide readers with a continuous flowing reading experience to easily comprehend the problem and the analysis carried out. In other words, the report is divided into a number of sections to aid readers understand the motivation for the choice of subject and the problem at hand, understand the topic, get an overview of the approaches and methodologies currently available to secure such environment and understand the analysis that has been conducted. The tone of the report is intended to be non-technical.


To my dear ones

My parents Alfred and Isabelle

My sister Diane

My grandfather Joseph


Contents

1. Introduction ... 1

1.1 Background ... 1

1.2 Objectives of the project ... 1

1.3 Methodology ... 2

2. Drawing the Cloud – A definition ... 5

2.1 Basic characteristics of the Cloud ... 6

2.2 Shapes of the Cloud ... 8

2.3 A comparison between traditional and cloud computing ... 9

2.4 Living ‘on Cloud Nine’ - benefits of Cloud Computing ... 10

3. Information security within the Cloud ... 12

3.1 The experts’ opinion ... 12

3.1.1 Cloud Security Alliance (CSA) ... 14

3.1.2 Deloitte ... 16

3.1.3 European Network and Information Security Agency (ENISA)... 17

3.1.4 Ernst and Young (EY) ... 18

3.1.5 Gartner ... 18

3.1.6 Information Security Forum (ISF) ... 19

3.1.7 Information Systems Audit and Control Association (ISACA)... 19

3.1.8 KPMG ... 21

3.1.9 PwC ... 22

3.1.10 National Institute of Standards and Technology (NIST) ... 23

3.2 What security are cloud service providers offering to their customers? ... 24

3.2.1 Amazon ... 24

3.2.2 Google ... 27

3.2.3 Microsoft ... 31

3.2.4 Salesforce.com ... 33

3.3 Putting everything together ... 34

4. Cloud Risk Identification... 40

4.1 Why are some Clouds black? ... 41

4.2 Other risks not included in the list ... 57

4.3 The level of risk acceptance ... 58

5. In search of the white Cloud ... 59

5.1 Providing assurance through ISO 27001 Certification ... 60

5.2 Providing assurance through Trust Services Framework ... 63

5.3 Providing assurance through PCI DSS Certification ... 65


5.5 Providing assurance through ISACA Cloud Assurance Program ... 69

5.6 Providing assurance through SAS 70 Attestation ... 71

5.7 Providing assurance to customers that a Cloud is secure – The author’s view ... 73

6. Future work ... 87

7. Conclusion ... 89

Appendix A - Providing assurance through ISO 27001 Certification... 95

Appendix B - Providing assurance through Trust services ... 109

Appendix C - Providing assurance through PCI DSS Certification ... 123

Appendix D - Providing assurance through CSA Cloud Controls Matrix ... 135

Appendix E - Providing assurance through Cloud Computing Management Audit/Assurance Program ... 149

Appendix F – Summary of the services offered by the CSPs ... 162


1. Introduction

Living in Malta, a country where the information security culture is still in its infancy, a number of topics for this project which could aid the evolution of such a culture came to mind. During this uncertainty, a friend of the author, George, approached him with a dilemma. George had owned a small marketing company for a number of years. After having had a number of issues with his old IT system, he decided to buy a couple of new servers and employ another administrator to take care of the whole infrastructure. Being a curious and diligent chap, George was carrying out some research before he bought the equipment. This is when he came across the term cloud computing. He could not understand how this system works. However, he understood that it might be an advantageous choice to use this kind of system. Therefore, he asked the author for an opinion on cloud computing. Some brief research was carried out, but George and the author were left with a number of unanswered questions, especially those related to the protection of information. As a result, George steered away from cloud computing. Yet, the author’s curiosity initiated the research for this project.

1.1 Background

Cloud computing has gained momentum in recent years. It has caught the interest of a number of individuals, not to mention businesses and non-profit organisations. Like any IT system, and perhaps even more so, it has a number of connections to information security, a topic close to the author’s heart. A quick look at cloud computing indicates that there is some confusion around how to secure this environment, what standards are applicable to provide assurance on its security, and ultimately whether this environment can be efficiently secured. The wish of the author is that this research would be of assistance to organisations, similar to the one owned by George, by helping them take an informed decision on whether it is feasible, from a security perspective, to focus their IT strategy on the use of cloud computing.

1.2 Objectives of the project

Cloud computing is changing the way we look at the IT environment. Due to its distinct characteristics we may be in a situation where the current information security standards are not applicable to the security requirements of cloud computing. The author is on a quest to understand whether certification of compliance with PCI DSS, ISO 27001 or with any other international standard attained by a cloud service provider (CSP) can provide assurance that the risks pertinent to the cloud environment have been adequately mitigated.

To arrive at such a conclusion, a number of tasks need to be carried out. These have been divided into four objectives, described hereunder:

1. to get a clear understanding of what cloud computing is;

2. to examine how current cloud service providers are offering a secure service to their customers and to understand what the opinion of experts is with regards to mitigating risks found on the Cloud;

3. to identify, from a customers’ perspective, the risks found within the cloud computing environment; and

4. to analyse how the current standards mitigate the risks identified for this environment.

The aggregate result of the above four objectives is a conclusion describing whether a cloud service provider that is certified or compliant with a particular standard provides enough assurance to customers that the risks related to the Cloud have been mitigated.

1.3 Methodology

Prior to delineating a road map on how to achieve the above objectives it is advisable to define the author’s understanding of the term adequate information security. Undoubtedly, information security deals with the confidentiality, integrity and availability of data. The definition can be extended to include accountability, authorisation, reliability and so on. At all times, the author has kept in mind the notion that the level of security applied to an environment must relate to the level of risks involved in such an environment. In addition, the concept of adequate security takes into consideration the customers’ point of view. Thus, the term adequate security includes any security requirements that cloud customers (users) may have. On the other hand, one must keep in mind that various customers may have differing security priorities. Consequently, the author had to decide where to draw the line. The logical answer to this dilemma was that a cloud service provider should at least offer the minimum baseline security requirements that customers may demand and which are in line with good practice.

was mainly focused on cloud computing. Last but not least, the author has attended the ISO 27001 Information Security Management System Lead Auditor course with the main objective of understanding better how ISO 27001 and similar standards are applied in practice.

As part of the methodology applied for this project, the first thing that was required was to research cloud computing. The next logical step was to understand what experts are saying about how the Cloud should be secured and what current CSPs are doing in order to secure their clouds. It was also important to understand how customers are being assured about the level of security achieved by the CSPs.

Following this, one had to identify what threats are related to the Cloud. A decision had been taken to focus mainly on Cloud-specific risks, taking also into consideration any concerns and requirements of Cloud customers. Further on, one had to understand the risks of cloud computing, taking also into consideration the customers’ point of view. The analysis had to be carried out against a number of selected standards, which were compared to the risks identified during this research. Subsequently the conclusion was based on whether the standards analysed would have mitigated the Cloud-specific risks. What follows is a summary of the contents found in each chapter of this report.

Chapter 4, titled ‘Cloud Risk Identification’, is a mixture of research and analysis. The first part of this chapter is the rationale for deciding to take a risk-based approach for this project. This is followed by a brief description of the methodology used to identify the risks found in this environment. This leads us to the listing and description of the risks identified within cloud computing. Each risk is accompanied by a short description of the effects that the risk would have on the customers. The chapter also describes a set of risks that are relevant to both the CSP and customers but have been omitted from this study since they are not Cloud-specific. The conclusion of this chapter provides a rationale for the inclusion, within the analysis of this study, of all Cloud-specific risks that have been identified within this chapter.

In chapter 5 ‘In search of the white cloud’, the author carries out an analysis of how well the standards chosen in chapter 3 mitigate the risks that have been identified in chapter 4. This chapter is divided into seven sections. The first six sections relate to the analysis carried out on the different standards that have been selected. Each of these sections includes the conclusion of the analysis carried out on the standard related to that section, a summary of the analysis and the rationale for such conclusion. Each analysis focuses on how the controls mitigate the risks. Moreover, the analysis takes into consideration various characteristics offered by the individual standards such as certification mechanisms and reporting methods. The last section of this chapter also provides the author’s opinion of how the Cloud should be secured. The detailed analyses of how the controls of each standard mitigate the Cloud-specific risks are found in the appendices (A – E).


2. Drawing the Cloud – A definition

Since cloud computing (the Cloud) is the most frequent phrase that is mentioned throughout this research, it deserves a thorough introduction. Different definitions have been put forward to describe it. It is, therefore, of no surprise that some confusion exists on which definition befits it best.

Gartner describes the Cloud as “a style of computing where massively scalable and elastic IT-related capabilities are provided ‘as a service’ using Internet Technologies to multiple external customers.” (Iyenga, 2009) Microsoft defines the Cloud as “a collection of devices (servers, PCs, and mobile devices) using the network to pool resources and work together.” (Microsoft, Securing Microsoft's Cloud Infrastructure, 2009) Bruce Schneier, Chief Technical Officer of British Telecom and a renowned security expert, defines the Cloud as a technique of “…storing your data on someone else’s computer and accessing it via a network” (Chung & Hermans, 2010, p. 11). The concept of cloud computing, as described by Schneier, can probably go back to the 1960s, when the first networks were invented. In this case a better word for network, in Bruce Schneier’s definition, would be the Internet.

Lately there has been a boost to the concept of providing a service through networks resulting from new technologies and increased bandwidth. This has led to the possibility that services are offered and accessed much more easily through the Internet. In layman’s language the Cloud can be compared to the provision of electricity. To make use of electrical power, businesses do not build their own power stations or rely on generators. They connect to the electrical grid and use the service as needed. Nowadays networks can be compared to the electrical grid, where organisations do not need to buy their expensive hardware and employ technical engineers to administer all the related equipment that comes with it. All they need is an Internet connection to connect them to the network highway so that they can make use of the services they need, be it access to an operating system, an email service or storage for their data. The National Institute of Standards and Technologies (NIST) and the Cloud Security Alliance (CSA) both defined the Cloud “as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” (NIST, Mell, & Grace,


2.1 Basic characteristics of the Cloud

An effective way to better understand the Cloud environment is to list its basic characteristics:

Distribution of resources

One of the most important features of cloud computing is the ability for users to share high performance machines and resources within. For instance, if we look at the development of applications, by making use of services found on the Cloud, programmers can make use of multiple routines and components that are necessary to develop their own applications. Therefore programmers do not need such components and powerful machines at their end since they can make use of and share these resources found on the Cloud. Another example is that of sharing of working memory (known as RAM). In the Cloud, the amount of RAM that is not used by one organisation can be used by another. Such sharing will result in the higher utilization of resources.

Use of Internet

As already defined in the introduction to this chapter, the name cloud computing comes from the fact that the information is generally transferred through the Internet, which historically has been depicted as a cloud. NIST states that the cloud network should be accessible anywhere, by almost any device (NIST, Mell, & Grace, NIST Definition of Cloud Computing, 2009).


Elasticity

Even though distribution of resources has existed for a long time, the Cloud takes such a technique to a new level. The elasticity that the Cloud offers to its customers includes a variety of options on how, what, and how many resources to use (processing power, storage etc.) from those available. Vasant Raval, a professor of accountancy at the University of Creighton, USA and an author of two books on information systems and security, described this elasticity as similar to “going into a restaurant and choosing one’s own bread, condiments, whether to toast the sandwich or not – all these decisions rest with the customer.” (Raval, 2010). This feature makes the Cloud as scalable as necessary from the perspective of the Cloud’s customers. This is because customers can ‘grow’ their pool of resources and can also reduce it according to their requirements.

Instantaneous provisioning of services

When you plug a light bulb into the power grid you apply electricity to it and you expect it to light. This service, electricity, is provided to you almost instantaneously and you pay only for the electricity you use to light the bulb. The cloud computing environment works very similarly in terms of the provisioning of services. As soon as a user requests a service from the pool of services offered by the CSP, such service is made available to the customer straight away.

New charging models


2.2 Shapes of the Cloud

The Cloud comes in various shapes and sizes, incorporating different benefits and issues with each style. Not surprisingly there are various experts, books, research and articles that define these flavours in different ways. For the purpose of this research the author chose three types of cloud categorisation from a pool of literature that was reviewed during this study. The pool of literature included the ‘NIST definition of cloud computing’ (NIST, Mell, & Grace, NIST Definition of Cloud Computing, 2009), ISACA’s white paper ‘Cloud Computing: Business Benefits with Security, Governance and Assurance Perspective’ (ISACA, Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives, 2009), and the Cloud Security Alliance report ‘Security Guidance for Critical Areas of Focus in Cloud Computing’ (Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, 2009), to mention a few. The following are the types of categorisation chosen by the author:

Software-as-a-Service (SaaS) refers to the capability offered to consumers to use the provider’s software/application running on its infrastructure. SaaS is all about customer related services and content delivery services. Some examples of SaaS include Salesforce CRM, Google Docs, Hotmail and Microsoft BPOS. These applications are usually accessed through thin clients such as a web browser. The ENISA ‘Information Assurance Framework’ report (ENISA, Information Assurance Framework, 2009, p. 8) lists the responsibilities of CSPs that offer SaaS and of customers of SaaS with regards to security. Responsibilities for the CSPs include the physical infrastructural security support and availability; operating system patch management and hardening; security platform configuration and maintenance; system and security monitoring including log collection. On the other hand customers are responsible for compliance with data protection laws vis-à-vis their data; maintenance and management of the identity management system and the management of the authentication platform. From this list of responsibilities one notices that within a SaaS, consumers do not manage or control the underlying cloud infrastructure or the application itself. Nevertheless, the customer may be provided with limited user-specific application configuration settings;

Platform-as-a-Service (PaaS) refers to the capability offered to customers to develop or acquire applications created using programming languages and tools supported by the provider. Some cloud providers that offer PaaS capabilities include Google App Engine, Force.com, 3tera, Applogic, Heroku and Azure. According to the ‘Information Assurance Framework’ published by ENISA (ENISA, Information Assurance Framework, 2009, p. 9), the responsibilities of providers and customers making use of a PaaS solution remain the same as those described for the SaaS. Within the PaaS, cloud consumers do not manage or control the underlying cloud infrastructure but may have some control over the deployed applications and possibly have control also over the application hosting environment configurations; and

Infrastructure-as-a-Service (IaaS) refers to the capability offered to customers to use the

service API. IaaS services that are currently on the market include Amazon’s EC2 and S3, Terremark Enterprise Cloud, Windows Live Skydrive and Rackspace Cloud. The ‘Information Assurance Framework’ (ENISA, Information Assurance Framework, 2009, p. 9) states that CSPs have responsibilities vis-à-vis the physical infrastructural security support and availability and responsibilities on the host systems (such as hypervisor, virtual firewall etc.). According to ENISA, customers have responsibilities with respect to the maintenance and management of the identity management system and the management of the authentication platform. Customers are also responsible for OS patch and hardening procedures, configuration of the guest security platform, guest systems monitoring, security monitoring and log collection as well as security platform maintenance.

Clouds can also differ according to the type of customers they host. A cloud can be deployed and restricted to one organisation. This kind of setup is known as the ‘private cloud’ (NIST, Mell, & Grace, NIST Definition of Cloud Computing, 2009, p. 2). This has a relatively low risk profile but may not be as flexible and scalable as required by its users. Another arrangement of the Cloud is that known as the ‘community cloud’ (NIST, Mell, & Grace, NIST Definition of Cloud Computing, 2009). This cloud is offered to different organisations with the same interests. Also in this case the risks are lower; however, one has to consider that the data of competing organisations can be shared within the same storage. The risks start to increase considerably within ‘public clouds’ (NIST, Mell, & Grace, NIST Definition of Cloud Computing, 2009, p. 2). Such a setup is made available to the general public. In the private and community clouds, data owners have control, or at least knowledge, of where the data resides. In public clouds data may be stored in locations that are unknown to the users or customers. A combination of at least two of the three types of Clouds mentioned above is known as the ‘Hybrid Cloud’ (NIST, Mell, & Grace, NIST Definition of Cloud Computing, 2009, p. 2). In this setup, public, community and private clouds remain separate entities. Nevertheless they will be sharing technology. With this type of deployment risks are much higher than those found in a public cloud. Usually data in private clouds has more protection than in the public clouds. Thus the owner of the Hybrid Cloud needs to ensure that data is properly labelled so that it is stored securely according to what is requested by its clients. Since the above models present different levels of risks, the definition of the Cloud within this study incorporates the greatest risks offered by these models.

2.3 A comparison between traditional and cloud computing

The concept of traditional computing in this context refers to a situation in which everything related to the IT systems is managed in-house and outsourcing is therefore very limited. The characteristics that define cloud computing are very different from those found in traditional computing, both from a physical and from a logical point of view.

© Robert Farrugia SRN 070440991 10

mean that the organisation does not know the exact location where the data is being stored. A difference between these two models also influences the role of the IT department within an organisation. The set of skills required for managing hardware and software is reduced, although the in-house IT department may need a different set of skills to manage services on the Cloud. For instance, by making use of the services of a CSP, an organisation may need someone to manage the relationship with the CSP and ensure that the expected service levels are being achieved.

Cloud computing did not surface overnight. From a logical perspective, including data and application services, IBM, through the Service Bureau Corporation, had offered to run programs on its computers for its customers as far back as the 1950s. From a physical perspective, organisations have also been using data centres to store their hardware in remote locations rather than in-house. If we look at the services usually offered by IT departments we also find organisations that have been outsourcing some, if not all, of their IT. However, this type of computing is still somewhat different from the Cloud. The Cloud refers to the simultaneous notions of resource sharing, elasticity, instantaneous provisioning of services, a completely new charging model and the heavy use of Internet bandwidth.

2.4 Living ‘on Cloud Nine’ - benefits of Cloud Computing

William Shakespeare once wrote “thus we play the fool with the time and the spirits of the wise sit in the clouds and mock us.” (Shakespeare) Even though Shakespeare lived in an era when not even cars were invented, let alone computers, he seemed to get it right as regards the wise living on the cloud, even though he was referring to a totally different cloud from the one in question. The authors of the report ‘From Hype to Future’ (KPMG, From Hype to Future, 2010, p. 24), the authors of the book ‘Cloud Security and Privacy’ (Mather, Kumaraswamy, & Latif, 2009), the authors of the report ‘Ten Minutes on the Cloud’ (PWC, 10 Minutes on the Cloud, 2010) and many others have stated that being on the Cloud brings a lot of advantages, for a number of reasons. From the literature reviewed by the author, it seems that the benefits mentioned in this section are the main motivators for customers to use the solutions provided by the Cloud as opposed to traditional computing. The benefits listed in this section are, however, not exhaustive and are not sorted in any specific order.

Another financial advantage inherent in the Cloud is that if an organisation finds that an added investment is not meeting its expectations and thus decides to shut down a particular part of the organisation’s services, all it needs to do, from an IT perspective, is to downgrade or unsubscribe from the services currently used on the Cloud. This is a great advantage compared to the traditional computing solution, where one would lose the initial capital investment.

Besides the advantages of an attractive financial model for investing in IT solutions and an instantaneous, flexible response to the requirements of an organisation, a respectable cloud service provider will also offer a number of features that would be difficult to attain in a traditional in-house computing solution. For instance, cloud service providers can set up their infrastructure so as to provide few, if any, service interruptions and a high quality of service by providing high-speed access and storage solutions. In terms of resilience they are able to provide mirrored solutions that can be utilised both for load balancing and in case a disaster takes place.


3. Information security within the Cloud

From the definition of cloud computing, provided in chapter 2, it is clear that information security within cloud computing necessitates a closer look. As in any information security assignment, the main objective is to protect information from the loss of confidentiality, loss of integrity and loss of availability.

Before starting to investigate the specific risks that relate to the Cloud, the author would like to provide an overview on how the information security community is proposing to secure this environment and also to understand how experts are proposing to provide assurance to users, on the security of the Cloud. The research also includes a high level description of the security mechanisms employed by some of the top CSPs and also an analysis of the methods used by these CSPs to provide security assurance to their customers.

3.1 The experts’ opinion

In recent years a number of experts have provided their insight on how cloud computing is changing the IT environment and business models, and on the risks that the Cloud brings about. Experts have expressed their opinions through various papers and articles, such as those published in the ISACA Journal and the Economist, through books such as Cloud Security and Privacy (Mather, Kumaraswamy, & Latif, 2009) and through blogs such as those published by CIO.com, SC Magazine and Trusted-cloud.com. In the author’s opinion, it is critical to get a comprehensive understanding of what security professionals deem important when it comes to security within the Cloud.

Writers with an information security background all mention the importance of having a management system that can provide assurance on the implementation of an adequate level of security within the Cloud. An example of such a statement is provided by the authors of the book ‘Cloud Security and Privacy’ (Mather, Kumaraswamy, & Latif, 2009), in which they state that “The first question a Chief information security Officer must answer is whether she has adequate transparency from cloud service providers to manage the governance (shared responsibilities) and implementation of security management processes (preventive and detective controls) to assure business that the data in the cloud is appropriately protected” (Mather, Kumaraswamy, & Latif, 2009, p. 109). Another issue that is frequently mentioned by information security experts is the importance of a CSP providing assurance on its compliance with different international standards. For example, this is discussed by the authors of a KPMG report titled ‘Executive Considerations When Building and Managing a Successful Cloud Service’, in which they state that “CSPs are challenged to establish, monitor, and demonstrate on-going compliance with a set of controls that meets their customers’ business and regulatory requirements”. (Matuszak, et al., 2009, p. 6)

the importance of the authentication features within the system engine, the intercommunication of the system engine with other systems and the importance of having a robust engine to ensure availability. Another example of such technical advice can be found in an article titled ‘Cloud Daze’ (Ross S. J., 2010), written by Steven J. Ross. Amongst other things, Ross mentions the importance of having robust encryption mechanisms within the system in order to preserve the confidentiality and integrity of data.

On the other hand, lawyers and business advisors recommend the implementation of resilient service level agreements so as to mitigate the Cloud-specific risks. For instance, Bernard Golden in an article titled ‘The Case Against cloud computing’ that was published on CIO.com (Golden, 2009) points out that SLAs can help an organisation to achieve better IT performance and provide assurance on the implementation of risk management by a CSP.

Other experts provide a holistic view of security requirements according to the industry they work in. It seems that the health industry in general is looking at the Cloud as an opportunity to improve the management of patients’ records. From an information security perspective the health environment emphasises, more than other sectors, the importance of assuring that information is available straight away when required. Various governments also seem to have laid their eyes on the Cloud. For instance, the U.S. Navy is looking at the opportunities that the Cloud provides, with a view to offering a better service to its agents and soldiers (Jackson, 2009). The U.S. Navy plans to be on the Cloud within the next five years. In an interview, the CIO of the U.S. Navy indicated that assurance on privilege management is fundamental to their needs. Moreover, he stressed the importance of having processes that validate security, such as certifications.

When it comes to providing assurance to customers, it seems that there are mixed views on which standard is the most adequate. However, the general opinion is that the management of security should embrace a risk-based approach. This sentiment is in line with the opinion expressed by ISACA, which suggests that Clouds need “a robust risk management program that is flexible enough to deal with continuously evolving information risks...” (ISACA, 2009, p. 8). ISO 27001 certification is one of the practices being put forward for providing assurance on the security implemented on the Cloud. Another standard that is often mentioned for providing assurance on the controls implemented by a CSP is SAS 70. Less popular but still worth mentioning are the COBIT, ITIL and PCI DSS standards. It is notable that experts also point to standards and frameworks that have recently been published by organisations such as the Cloud Security Alliance and ISACA.


3.1.1 Cloud Security Alliance (CSA)

An organisation that is in the front line of cloud computing security is the Cloud Security Alliance (CSA). Its mission is “to promote the use of best practices for providing security assurance within cloud computing, and provide education on the uses of cloud computing to help secure all other forms of computing.” (Alliance, www.cloudsecurityalliance.org, 2010) CSA has issued a number of research papers which provide guidance on the security of the Cloud.

In the research paper titled ‘Security Guidance for Critical Areas of Focus in cloud computing V2.1’ (Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, 2009), CSA has identified 13 domains that are deemed critical in the provision of a secure service. Within this document, CSA first defines the complexities and magnitudes of the different Cloud models and then goes on to suggest that controls need to be aligned to the Cloud model that is being deployed. The ‘Security Guidance for Critical Areas of Focus in cloud computing’ paper is mainly aimed at organisations that are preparing to move onto the Cloud, which differs slightly from the objective of this study, since the main focus (of this study) is to analyse the security that is to be provided by CSPs. Nevertheless, the information within this document is extremely significant in enabling us to understand what customers look for when moving to the Cloud and thus what security measures should be offered by the CSPs.

Within the ‘Security Guidance for Critical Areas of Focus in cloud computing’ CSA advises individual organisations to identify the data and assets that they are considering outsourcing to CSPs. Subsequently it recommends carrying out a risk assessment with a view to assessing the confidentiality, integrity and availability requirements of the assets being outsourced. This will help in identifying which assets should actually be outsourced to the CSP and which should not. The risk assessment will also help in identifying whether individual organisations should make use of a public or a private Cloud, according to the security requirements of their assets. Finally, CSA’s paper stresses the importance of mapping out the data flows between the organisation and the CSP. This ensures that, prior to taking the final decision, the organisation will have identified all the risks that it would be exposed to. Once this process has been conducted the organisation can decide on the controls to look for when choosing a CSP. The 13 domains described within the ‘Security Guidance for Critical Areas of Focus in cloud computing’ paper provide guidance on the critical areas that need most attention within the Cloud environment. Below is a high-level summary of the CSA’s 13 domains (Alliance, 2009, p. 26):

1. A description of the complexities of the cloud computing architectural framework;

2. Governance and Enterprise Risk Management – this domain describes the importance of a CSP being able to manage the risks introduced by cloud computing;

3. Legal and Electronic Discovery – this domain describes the importance of knowing how to deal with the legal complexities introduced by cloud computing;

5. Information Lifecycle Management – this domain describes the importance of appropriately managing the data on the Cloud. CSA recommends compensating controls which can be utilised to deal with the loss of physical control when shifting data to the Cloud;

6. Portability and Interoperability – this domain describes the importance of a customer being able to move its data/services from one Cloud to another;

7. Traditional Security, Business Continuity and Disaster Recovery – this domain describes the effects that the Cloud has on traditional practices and the importance for customers moving onto the Cloud of being sure that this transition is correctly managed by the CSPs;

8. Data Centre Operations – this domain describes the characteristics that the CSPs’ data centres should have in order to provide a secure Cloud environment;

9. Incident Response, Notification and Remediation – this domain describes the importance of having proper and adequate incident detection, response, notification and remediation;

10. Application Security – this domain describes the importance that needs to be given to the management of specific Cloud application security issues by the CSPs;

11. Encryption and Key Management – this domain describes the importance of proper utilisation of the encryption techniques used by the CSPs;

12. Identity and Access Management – this domain describes the importance of managing identities and access control within the Cloud. This section provides insight into assessing an organisation’s readiness to conduct cloud-based identity and access management; and

13. Virtualization – this domain describes the importance of the management of virtual machines, isolation between tenants and also security issues related to the hypervisor and underlying hardware infrastructure.

Another CSA initiative is the ‘Governance, Risk management and Compliance Stack’ (Alliance, GRC Stack website), which builds on the domains mentioned within ‘Security Guidance for Critical Areas of Focus in cloud computing’. The GRC Stack, which is still being developed, “provides a toolkit for enterprises, cloud providers, security solution providers, IT auditors and other key stakeholders to instrument and assess both private and public clouds against industry established best practices, standards and critical compliance requirements.” (Alliance, GRC Stack website) The GRC Stack

CSA’s work seems to have caught the eye of many experts in the IT industry. AT&T, Cisco, Dell, IBM, Intel, Google, Novell, Rackspace, Terremark, Verisign and VMware are just a few of the organisations that have become members of CSA, not to mention the considerable number of experts contributing to CSA’s projects. For instance, more than ninety security experts contributed to the publication of the ‘Security Guidance for Critical Areas of Focus in cloud computing V2.1’ paper mentioned earlier.

In the author’s opinion the work carried out by CSA is very significant, especially for this research. The fact that these papers and tools are aimed at the cloud computing environment means that most of the Cloud-specific risks will be adequately managed through the implementation of such tools. However, one must keep in mind that most of these tools are still being developed and therefore it may take some time before they are widely embraced and recognised as a standard which provides assurance to customers that Cloud-specific risks are being managed effectively.

3.1.2 Deloitte

Like any of the Big Four audit firms, Deloitte has its own cloud computing advisory service line. It has assisted a number of clients in shifting to the Cloud (Deloitte, Cloud Computing: Forecasting Change, 2009, p. 10). In order to do so Deloitte has adopted a risk-based approach that takes the following into consideration:

• User control over Cloud resources;

• Data secrecy, privacy and confidentiality;

• New threats emerging from new technologies;

• Access controls and use of the data on the Cloud;

• Application and platform security; and

• Security models on cloud computing.

Deloitte has made use of ISO 27001 and COBIT as the foundations of the risk-based approach described above. This is because Deloitte believes that “accepted frameworks, such as ISO 27001, Cobit and ISF – enable secure businesses through cloud computing” (Deloitte, Cloud Computing: Forecasting Change, 2009, p. 11). In advising its clients, Deloitte also makes use of its team of lawyers to provide on-going legal assistance. Such assistance is required for the drafting of contracts, service level agreements and terms and conditions related to the Cloud.

Furthermore, Deloitte advises its CSP clients to look into and implement robust controls relating to: security management, operational security, vulnerability management, business continuity management, privacy and data protection, identity and access management, and application integrity. In order to provide third parties (the CSP’s customers) with assurance on the security of a Cloud, Deloitte suggests one of the following solutions:

• SAS 70 attestation or SAS 85 compliance; or

• ISO 27001.


3.1.3 European Network and Information Security Agency (ENISA)

ENISA aims to be the ‘pace-setter’ for information security in Europe (ENISA, About-Enisa website). As one would expect, ENISA has an important role in the development of good information security practices within the cloud environment. This role is fulfilled by carrying out surveys, publishing research papers and organising workshops.

One of the key documents published by ENISA is the ‘cloud computing Information Assurance Framework’ (ENISA, Information Assurance Framework, 2009). This document is based on the domains of ISO 27001 / 2 and BS 25999 and relates only to Cloud-specific risks. The first part of the document specifies the importance of analysing the risks of the specific environment. The ‘cloud computing Information Assurance Framework’ then continues to highlight the division of responsibilities between the CSP and the customer. In the author’s opinion this is a very interesting concept, because a customer may think that once he has outsourced his IT systems to the CSP he does not need to get involved with security any further. On the contrary, this concept shows that customers still have responsibilities towards the security of the Cloud. For instance, if a customer is on an IaaS Cloud and has installed a Windows Server 2003, it is the customer’s responsibility to ensure that it has an antivirus and that it is being regularly patched. The ‘cloud computing Information Assurance Framework’ is presented as a set of questions that customers should be able to answer in order to confirm assurance on the security employed by the CSP. These questions are organised in 10 domains. These are:

1. Personnel security;

2. Supply-chain assurance;

3. Operational security – this also incorporates software assurance, patch management, network and host architecture, application security (for both PaaS and SaaS) and resource provisioning;

4. Identity and access management;

5. Asset management;

6. Data and services portability;

7. Business Continuity Management;

8. Physical security;

9. Environmental controls; and

10. Legal requirements.

However, this assurance framework does not provide any information on how a CSP can prove compliance with such recommendations. Thus, one presumes that each cloud customer who wants to assess the security of the Cloud must go through the points and questions found under each domain.


3.1.4 Ernst and Young (EY)

Like the other Big Four firms, one of EY’s initiatives is to publish surveys that convey the opinion of businesses and organisations on specific areas and industries.

In its ‘13th Global Information Security Survey’ of 2010 (EY, IT Risk and Assurance), EY provides a snapshot of the thoughts of major organisations with regards to cloud computing. In this survey, EY provides an analysis of why some organisations are moving onto the Cloud and why other organisations are still not embracing this new mind-set. More importantly, EY provides information on what gives, or would give, assurance to organisations with regards to the security employed by CSPs. EY asked a number of organisations the following question: “Would some kind of external certification of cloud service providers increase your trust in cloud computing?” (EY, IT Risk and Assurance). 43% of the respondents answered yes, but only if the certification was based on an agreed-upon standard. 22% said that for them external certification would be accepted only if the certifying body could show accreditation. 20% would accept any certification, whilst the rest, 15%, said that they would not accept any external certification.

As an outcome of this survey, EY suggests that organisations planning to shift their operations to the Cloud should define and establish minimum standards and security requirements that must be delivered by their CSP. These should then be reflected in contracts and service level agreements. Once these requirements are in place, organisations should then focus on ensuring that their CSPs are compliant with the requirements as defined in the agreements.

3.1.5 Gartner

Gartner is one of the world’s leading companies in “information technology research and advice” (Gartner, Gartner's home page). One of Gartner’s objectives is to “deliver the technology-related insight necessary for their clients to make the right decisions, every day” (Gartner, Gartner's home page). As one would expect, Gartner also has its views on the cloud environment and its security. In a press release titled ‘Security Must Evolve as Organizations Move Beyond Virtualization to Private Cloud Infrastructures’ (Gartner, Gartner Newsroom, 2010), Gartner states that the security mentality must evolve to include six attributes, which are summarised hereunder:

• Security services must be on demand and elastic, to protect data where and when protection is needed;

• Programmable infrastructure must be available, contributing also to better security controls;

• Policies should be more logically based, to reflect the current Cloud dynamics;

• Security should be structured to reflect logical groups with the same characteristics;

• Configuration of security policy management should be more flexible; and

• Security policies must include not only the Cloud layer but also the underlying infrastructure.

concept in which security must be an essential part of the whole cloud computing environment. Thus security should not be focused only on technology.

3.1.6 Information Security Forum (ISF)

The Information Security Forum (ISF) was founded in 1989 with the objective of being an independent source “that supplies authoritative opinion and guidance on all aspects of information security.” (Information Security Forum) In order to achieve this goal, ISF publishes reports, carries out surveys and provides tools to its members.

ISF has also established a number of initiatives with the aim of informing its members and providing them with tools to address the security issues that can be found within cloud computing. In early February 2011, ISF published ‘Securing Cloud Computing: Addressing the seven deadly sins’ (ISF, 2011), with the aim of helping “organisations make sure they reap the promised savings and efficiencies” of the Cloud. (ISF, 2011) These seven deadly sins refer to situations within an organisation where:

• the Cloud is already being used without management knowledge and approval;

• the organisation enters into contracts with little or no attention given to risk management;

• little or no assurance is provided by or available from cloud suppliers about how they manage the organisation’s information;

• information gets into the cloud that breaks laws and / or regulations;

• information is not protected at each stage of its lifecycle;

• no standards infrastructure are in place in the organisation to guarantee secure use of the Cloud, leading to information leakage; and

• availability is assumed, but outages happen and cost real money.

The report offers details on the approach that organisations need to take in order to manage their operations on the Cloud. As an expansion of this report, ISF published a tool which includes controls that relate to these sins. This tool includes 62 high level actions that need to take place so as to ensure that any business making use of the Cloud is managing the issues identified by ISF.

The above description shows that the report and tool provided by ISF are more focused on how businesses manage the risks when moving to and making use of Cloud services. However, it is the author’s opinion that this information is very valuable for understanding what customers should be looking for when moving to and operating in this environment. Such views will be incorporated within this study.

3.1.7 Information Systems Audit and Control Association (ISACA)

entitled ‘cloud computing: Business Benefits with Security, Governance and Assurance Perspective’ (ISACA, Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives, 2009). In this paper, amongst other things, ISACA identifies a number of key areas that need to be addressed in order to provide assurance on the implementation of the Cloud. These are transparency, privacy, compliance (with laws, regulations, policies and procedures), trans-border information flow and compliance certification.

However, maybe the best contribution with regards to cloud computing from ISACA is the “Cloud Computing Management Audit/Assurance Program” (CCMAP) (ISACA, Cloud Computing Management Audit/Assurance Program, 2010). This assurance program aims to:

• Provide stakeholders with an assessment of the effectiveness of the cloud computing service provider’s internal controls and security;

• Identify internal control deficiencies within the customer organization and its interface with the service provider; and

• Provide audit stakeholders with an assessment of the quality of and their ability to rely on the service provider’s attestations regarding internal controls.

From the above description, one notes that the assurance program is meant to provide assurance to individual customers on the CSPs’ security controls and also on the part of the customer’s control environment which is linked to the Cloud. This assurance program forms part of the ‘tools and templates’ section of ISACA’s ‘Information Technology Assurance Framework’ (ITAF) (ISACA, Information Technology Assurance Framework). This assurance framework provides a comprehensive good-practice model for IT auditors to perform assurance work. It incorporates a number of mandatory standards and guiding principles which provide direction for the practice of IT audit and assurance. The tools and templates, such as the CCMAP, provide the route for applying a number of sections found within the ITAF.

The CCMAP is meant to be a starting point for providing assurance in the Cloud environment. The document specifies that the IT auditor may modify this program and that such document is not meant to be a checklist or questionnaire. The CCMAP is cross referenced to COBIT and also provides the basis for implementing a maturity model. This assurance program also makes clear reference to the importance of looking into a particular section of the ITAF, that of outsourcing (section 3630.6). Furthermore the CCMAP indicates that IT General Controls (section 3630 of the ITAF) may have varying levels of significance when providing assurance depending on the Cloud infrastructure under review. The CCMAP program focuses on:

• The governance affecting cloud computing - Within this section the CCMAP provides assurance on areas such as collaboration with regards to information security, metrics, enterprise risk management and third party risk management;

• Control issues specific to cloud computing - Within this section the CCMAP provides assurance on areas such as incident response, notification and remediation, application security, data security and integrity, identity and access management and virtualization.

In the author’s opinion both ‘cloud computing: Business Benefits with Security, Governance and Assurance Perspective’ (ISACA, Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives, 2009) and ‘cloud computing Management Audit/Assurance Program’ (ISACA, Cloud Computing Management Audit/Assurance Program, 2010) provide insight into what CSPs should provide to their customers with regards to information security. Moreover, a closer analysis of the ‘Cloud Computing Management Audit/Assurance Program’ shows that ISACA is proposing that the main areas of assurance relate to the importance that customers do not lose control of the security of their systems and data, that contractual obligations specific to this environment are in place and that assurance is specifically provided for the Cloud service engine. The author believes that the ‘Cloud Computing Management Audit/Assurance Program’ is a very interesting tool because it is designed to provide assurance on specific Cloud-related issues.

3.1.8 KPMG

With regards to securing the Cloud environment, KPMG has taken what it calls a ‘Unified IT Compliance approach’ (Matuszak, et al., 2009, p. 7), which aims to mitigate the risks that CSPs face whilst offering their Cloud services. This approach was specifically designed to make up for the lack of specific standards within the Cloud environment and also to address the issue of CSPs being requested, by their customers, to be compliant with a number of international standards. According to KPMG, besides achieving an adequate level of security, this risk-based approach helps in reducing the significant burden of compliance monitoring and testing for different standards.

The Unified IT Compliance Approach is made up of five domains which include Governance, Risk Management, Compliance, Continuous Improvement and Unified Control Processes. The diagram 3.1.8.a depicts the role of each domain and how these interact with each other.

The basis of the Unified IT Compliance framework is ISO 27001. The choice of ISO 27001 is based on the fact that the standard “has gained broad international acceptance as a solid framework for information security focused controls” (Placeholder1p. 9). The framework is then enhanced through specific controls relating to cloud computing. These controls relate mainly to data protection, data segregation, data encryption and standards, logging, authentication and monitoring.

KPMG’s approach attempts to provide a management framework which offers assurance on a number of Cloud-specific issues. The Governance component provides assurance that security is managed adequately by the CSP. The Risk Management component provides assurance that a CSP has embarked on a risk-based approach and thus has identified and acted on all the risks related to this environment. Continuous Improvement implies that monitoring is in place to ensure controls are being efficiently and effectively implemented within the Cloud. The Compliance component ensures that controls are tested on a periodic basis, whilst the Unified Control Processes component refers to the control activities executed by the CSP’s personnel. The Control Processes component may include traditional controls and Cloud-specific controls. In the author’s opinion, the interactions of these components provide a good management framework which eventually offers assurance to customers with regards to the CSP’s information security management framework.

KPMG has identified ISO 27001, SAS 70 and Trust Services (SysTrust and WebTrust) as the main recognized audit approaches to provide assurance to 3rd parties on the security of the Cloud. According to KPMG, ISO 27001 is applicable when customers need assurance on the security program employed by the CSP, whilst SAS 70 is a “tool to support the financial audits of customers that use service organisations” (Matuszak, et al., 2009, p. 10). On the other hand, the Trust Services framework may be appropriate to demonstrate that CSPs have security controls in place that have been operating effectively over a period of time.

3.1.9 PwC

PwC (PricewaterhouseCoopers) also offers a wide range of services related to the Cloud environment. PwC advertises itself as an independent 3rd party that can provide assurance on the effectiveness of the controls employed by a CSP. PwC has identified the following as key areas to look into whilst providing such assurance:

• Security policies and procedures – this typically includes assurance on the type of encryption being used. It also provides assurance that the identification and authentication mechanisms and access management capabilities are in line with good practice;

• Availability management – this typically includes assurance on monitoring procedures, levels of availability and adherence to service level agreements;

• Adherence to privacy requirements; and

• Data and transaction processing capability.

In the report ‘Protecting your brand in the cloud: Transparency and trust through enhanced
